lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Mar 2024 08:31:16 -0600
From: Seth Forshee <sforshee@...nel.org>
To: Roberto Sassu <roberto.sassu@...weicloud.com>
Cc: zohar@...ux.ibm.com, dmitry.kasatkin@...il.com,
	eric.snowberg@...cle.com, paul@...l-moore.com, jmorris@...ei.org,
	serge@...lyn.com, linux-integrity@...r.kernel.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
	Roberto Sassu <roberto.sassu@...wei.com>, stable@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH] evm: Change vfs_getxattr() with __vfs_getxattr() in
 evm_calc_hmac_or_hash()

On Thu, Mar 07, 2024 at 01:22:39PM +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@...wei.com>
> 
> Use __vfs_getxattr() instead of vfs_getxattr(), in preparation for
> deprecating using the vfs_ interfaces for retrieving fscaps.
> 
> __vfs_getxattr() is only used for debugging purposes, to check if kernel
> space and user space see the same xattr value.

__vfs_getxattr() won't give you the value as seen by userspace though.
Userspace goes through vfs_getxattr() -> xattr_getsecurity() ->
cap_inode_getsecurity(), which does the conversion to the value
userspace sees. __vfs_getxattr() just gives the raw disk data.

I'm also currently working on changes to my fscaps series that will make
it so that __vfs_getxattr() also cannot be used to read fscaps xattrs.
I'll fix this and other code in EVM which will be broken by that change
as part of the next version too.

> 
> Cc: stable@...r.kernel.org # 5.14.x
> Cc: linux-fsdevel@...r.kernel.org
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Seth Forshee (DigitalOcean) <sforshee@...nel.org>
> Fixes: 907a399de7b0 ("evm: Check xattr size discrepancy between kernel and user")
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
>  security/integrity/evm/evm_crypto.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
> index b1ffd4cc0b44..168d98c63513 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
>  		if (size < 0)
>  			continue;
>  
> -		user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry,
> -					       xattr->name, NULL, 0);
> +		user_space_size = __vfs_getxattr(dentry, inode, xattr->name,
> +						 NULL, 0);
>  		if (user_space_size != size)
>  			pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n",
>  				 dentry->d_name.name, xattr->name, size,
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ